Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.72' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   33.620111] audit: type=1400 audit(1601860759.961:8): avc:  denied  { execmem } for  pid=6342 comm="syz-executor266" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   33.636437] REISERFS (device loop0): found reiserfs format "3.5" with standard journal
[   33.650798] REISERFS (device loop0): using ordered data mode
[   33.657198] reiserfs: using flush barriers
[   33.663239] REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[   33.679841] REISERFS (device loop0): checking transaction log (loop0)
[   34.278607] ==================================================================
[   34.286056] BUG: KASAN: use-after-free in reiserfs_read_locked_inode+0x2028/0x2190
[   34.293742] Read of size 4 at addr ffff88807cbeb000 by task syz-executor266/6342
[   34.301265] 
[   34.302869] CPU: 1 PID: 6342 Comm: syz-executor266 Not tainted 4.14.198-syzkaller #0
[   34.310721] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.320065] Call Trace:
[   34.322713]  dump_stack+0x1b2/0x283
[   34.326324]  print_address_description.cold+0x54/0x1d3
[   34.331579]  kasan_report_error.cold+0x8a/0x194
[   34.336240]  ? reiserfs_read_locked_inode+0x2028/0x2190
[   34.341603]  __asan_report_load_n_noabort+0x6b/0x80
[   34.346609]  ? reiserfs_read_locked_inode+0x2028/0x2190
[   34.351946]  reiserfs_read_locked_inode+0x2028/0x2190
[   34.357112]  ? sd_attrs_to_i_attrs+0x230/0x230
[   34.361670]  ? __ww_mutex_wakeup_for_backoff+0x160/0x210
[   34.367100]  reiserfs_fill_super+0x1517/0x28b6
[   34.371659]  ? reiserfs_remount+0x1390/0x1390
[   34.376205]  ? lock_downgrade+0x740/0x740
[   34.380352]  ? snprintf+0xa5/0xd0
[   34.383783]  ? ns_test_super+0x50/0x50
[   34.387645]  ? set_blocksize+0x125/0x380
[   34.391686]  mount_bdev+0x2b3/0x360
[   34.395287]  ? reiserfs_remount+0x1390/0x1390
[   34.399756]  mount_fs+0x92/0x2a0
[   34.403173]  vfs_kern_mount.part.0+0x5b/0x470
[   34.407643]  do_mount+0xe53/0x2a00
[   34.411171]  ? retint_kernel+0x2d/0x2d
[   34.415032]  ? copy_mount_string+0x40/0x40
[   34.419242]  ? memset+0x20/0x40
[   34.422508]  ? copy_mount_options+0x1fa/0x2f0
[   34.426994]  ? copy_mnt_ns+0xa30/0xa30
[   34.430855]  SyS_mount+0xa8/0x120
[   34.434309]  ? copy_mnt_ns+0xa30/0xa30
[   34.438171]  do_syscall_64+0x1d5/0x640
[   34.442054]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.447217] RIP: 0033:0x446f4a
[   34.450394] RSP: 002b:00007ffea32af388 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[   34.458073] RAX: ffffffffffffffda RBX: 00007ffea32af3e0 RCX: 0000000000446f4a
[   34.465316] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffea32af3a0
[   34.472572] RBP: 00007ffea32af3a0 R08: 00007ffea32af3e0 R09: 00007ffe00000015
[   34.479814] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
[   34.487058] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   34.494319] 
[   34.495919] The buggy address belongs to the page:
[   34.500836] page:ffffea0001f2fac0 count:0 mapcount:0 mapping:          (null) index:0x1
[   34.508967] flags: 0xfffe0000000000()
[   34.512741] raw: 00fffe0000000000 0000000000000000 0000000000000001 00000000ffffffff
[   34.520605] raw: ffffea0001f2fb20 ffff8880aeb2ed48 0000000000000000 0000000000000000
[   34.528456] page dumped because: kasan: bad access detected
[   34.534137] 
[   34.535735] Memory state around the buggy address:
[   34.540633]  ffff88807cbeaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.547977]  ffff88807cbeaf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.555320] >ffff88807cbeb000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.562661]                    ^
[   34.566000]  ffff88807cbeb080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.573344]  ffff88807cbeb100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.580673] ==================================================================
[   34.588001] Disabling lock debugging due to kernel taint
[   34.593550] Kernel panic - not syncing: panic_on_warn set ...
[   34.593550] 
[   34.600913] CPU: 1 PID: 6342 Comm: syz-executor266 Tainted: G    B 4.14.198-syzkaller #0
[   34.610005] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.619343] Call Trace:
[   34.621908]  dump_stack+0x1b2/0x283
[   34.625528]  panic+0x1f9/0x42d
[   34.628693]  ? add_taint.cold+0x16/0x16
[   34.632641]  ? ___preempt_schedule+0x16/0x18
[   34.637027]  kasan_end_report+0x43/0x49
[   34.640979]  kasan_report_error.cold+0xa7/0x194
[   34.645623]  ? reiserfs_read_locked_inode+0x2028/0x2190
[   34.650961]  __asan_report_load_n_noabort+0x6b/0x80
[   34.655966]  ? reiserfs_read_locked_inode+0x2028/0x2190
[   34.661313]  reiserfs_read_locked_inode+0x2028/0x2190
[   34.666475]  ? sd_attrs_to_i_attrs+0x230/0x230
[   34.671043]  ? __ww_mutex_wakeup_for_backoff+0x160/0x210
[   34.676481]  reiserfs_fill_super+0x1517/0x28b6
[   34.681036]  ? reiserfs_remount+0x1390/0x1390
[   34.685520]  ? lock_downgrade+0x740/0x740
[   34.689641]  ? snprintf+0xa5/0xd0
[   34.693066]  ? ns_test_super+0x50/0x50
[   34.696937]  ? set_blocksize+0x125/0x380
[   34.700986]  mount_bdev+0x2b3/0x360
[   34.704601]  ? reiserfs_remount+0x1390/0x1390
[   34.709068]  mount_fs+0x92/0x2a0
[   34.712413]  vfs_kern_mount.part.0+0x5b/0x470
[   34.716881]  do_mount+0xe53/0x2a00
[   34.720395]  ? retint_kernel+0x2d/0x2d
[   34.724262]  ? copy_mount_string+0x40/0x40
[   34.728481]  ? memset+0x20/0x40
[   34.731738]  ? copy_mount_options+0x1fa/0x2f0
[   34.736207]  ? copy_mnt_ns+0xa30/0xa30
[   34.740066]  SyS_mount+0xa8/0x120
[   34.743493]  ? copy_mnt_ns+0xa30/0xa30
[   34.747357]  do_syscall_64+0x1d5/0x640
[   34.751233]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.757274] RIP: 0033:0x446f4a
[   34.760437] RSP: 002b:00007ffea32af388 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[   34.768119] RAX: ffffffffffffffda RBX: 00007ffea32af3e0 RCX: 0000000000446f4a
[   34.775372] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffea32af3a0
[   34.782629] RBP: 00007ffea32af3a0 R08: 00007ffea32af3e0 R09: 00007ffe00000015
[   34.789893] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
[   34.797136] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   34.805444] Kernel Offset: disabled
[   34.809053] Rebooting in 86400 seconds..